Question

Fail2Ban in Plesk banning Cloudflare/Digital Ocean IPs and Error Logs Showing DO IPs as errors

Hi, I am facing a very peculiar problem. Fail2Ban in Plesk is banning Cloudflare/Digital Ocean IPs due to which the website went down.

  1. Is there a way to unban all the Digital Ocean IPs in F2B? And which are the Digital Ocean server IPs, and how do I find that?

Also, the Error Logs in Plesk are showing Digital Ocean IPs as errors. Probably they are getting masked; I remember I did a process in DO where all masked IP addresses started showing the originating IPs in the previous server. I cannot find that online document.

  2. Can someone help me with how to unmask these IPs in Plesk so that error logs show original IPs and not Digital Ocean IPs?

(We use CloudFlare as well)

Thanks.



KFSys
Site Moderator
December 17, 2024

Heya,

Fail2Ban allows you to whitelist specific IPs or IP ranges using its ignoreip setting.

Edit the Fail2Ban configuration file to whitelist Cloudflare and DigitalOcean IPs.

  1. Open the Fail2Ban jail.local file:
sudo nano /etc/fail2ban/jail.local
  2. Add the IP ranges to the ignoreip line:
[DEFAULT]
ignoreip = 127.0.0.1/8 10.0.0.0/8 <cloudflare_ips> <digitalocean_ips>

Replace <cloudflare_ips> and <digitalocean_ips> with the IP ranges, then save the file and restart Fail2Ban:

sudo systemctl restart fail2ban

Show Real IPs (Unmask IPs) in Plesk Logs

When using Cloudflare or other proxies, the visitor’s real IP gets masked by Cloudflare’s IP. To fix this, you need to configure Plesk and your web server to show the original IPs.

Step 1: Use Cloudflare’s Real IP Module for Nginx or Apache

For Nginx:

  1. Install the ngx_http_realip_module:
sudo apt install nginx-extras

Configure Nginx to trust Cloudflare IPs:

  • Open the Nginx configuration file
sudo nano /etc/nginx/nginx.conf

Add the following lines to the http block:

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
real_ip_header CF-Connecting-IP;

Replace the IP ranges with Cloudflare’s list.

sudo systemctl restart nginx

Configure Plesk to Show Real IPs

Plesk needs to use the X-Forwarded-For or CF-Connecting-IP headers for logging the real IPs.

  1. Go to Plesk Control Panel:

    • Navigate to Tools & Settings > Apache & Nginx Settings.
    • Enable Proxy Mode and Use the real IP address.
  2. Apply the changes and restart the web server.
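
An added example (not part of the answer above, and not Fail2Ban's or Nginx's own code): a simplified Python model of the trust rule that `set_real_ip_from` and `real_ip_header CF-Connecting-IP` apply, plus a triage of a ban list against the same ranges to build the `ignoreip` line. The function names are hypothetical, and the sample peers, headers and ban list are constructed.

```python
import ipaddress

# Cloudflare ranges quoted in the answer above. This is a partial list; the
# answer says to replace it with Cloudflare's full published list.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22")]

def is_trusted_proxy(ip):
    """True if ip falls inside one of the trusted proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def effective_client_ip(peer_ip, cf_connecting_ip=None):
    """Simplified model of set_real_ip_from + real_ip_header CF-Connecting-IP.

    The header is honoured only when the TCP peer is a trusted proxy;
    a client connecting directly could otherwise put any address in it,
    and Fail2Ban would act on that unverified value.
    """
    if cf_connecting_ip and is_trusted_proxy(peer_ip):
        try:
            return str(ipaddress.ip_address(cf_connecting_ip.strip()))
        except ValueError:
            return peer_ip  # malformed header: keep the peer address
    return peer_ip

def triage_bans(banned_ips):
    """Split a ban list into proxy addresses (safe to unban) and the rest."""
    proxies = [ip for ip in banned_ips if is_trusted_proxy(ip)]
    others = [ip for ip in banned_ips if not is_trusted_proxy(ip)]
    return proxies, others

def ignoreip_line(base=("127.0.0.1/8", "10.0.0.0/8")):
    """Build the jail.local ignoreip line from the trusted ranges."""
    return "ignoreip = " + " ".join(list(base) + [str(n) for n in TRUSTED_PROXIES])

# Constructed sample data: (TCP peer, CF-Connecting-IP header or None).
SAMPLE_REQUESTS = [
    ("173.245.48.10", "203.0.113.7"),  # via Cloudflare: header is used
    ("198.51.100.23", "203.0.113.7"),  # direct connection: header ignored
    ("103.21.244.5", "not-an-ip"),     # via Cloudflare, malformed header
]
SAMPLE_BANS = ["173.245.48.10", "198.51.100.23", "103.22.200.99"]

if __name__ == "__main__":
    for peer, header in SAMPLE_REQUESTS:
        print(peer, header, "->", effective_client_ip(peer, header))
    print(triage_bans(SAMPLE_BANS))
    print(ignoreip_line())
```

Addresses in the first list returned by `triage_bans` are proxy addresses, which can be released with `fail2ban-client set <jail> unbanip <ip>` (`<jail>` and `<ip>` are placeholders).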

alexdo
Site Moderator
December 29, 2024

Heya, @sp1

On top of what’s already been mentioned, you can modify Fail2Ban filters to exclude Cloudflare or DigitalOcean IP ranges. For example, update /etc/fail2ban/filter.d/nginx-http-auth.conf:

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP/1.1".*$
ignoreregex = <IP_RANGES_TO_IGNORE>

Additionally, if you’re using Cloudflare, set up firewall rules to block malicious traffic before it reaches your server. For example:

  • Allow only specific countries.
  • Block IPs with high request rates.

Hope that this helps!
